[原文]The make_recovery command for the TFTP server in HP Ignite-UX before C.6.2.241 makes a copy of the password file in the TFTP directory tree, which allows remote attackers to obtain sensitive information.

-
漏洞信息 (F39431)

Corsaire Security Advisory - The aim of this document is to clearly define a vulnerability in the HP Ignite-UX product, as supplied by HP Inc., that would allow unauthenticated access to a copy of the /etc/passwd file.

-- Corsaire Security Advisory --
Title: HP Ignite-UX passwd file disclosure issue
Date: 23.11.04
Application: HP Ignite-UX prior to version C.6.2.241
Environment: HP-UX
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c041123-001
-- Scope --
The aim of this document is to clearly define a vulnerability in the HP
Ignite-UX product, as supplied by HP Inc. [1], that would allow
unauthenticated access to a copy of the /etc/passwd file.
-- History --
Discovered: 23.11.04 (Martin O'Neal)
Vendor notified: 23.11.04
Document released: 16.08.05
-- Overview --
The HP Ignite-UX application "addresses the need for HP-UX system
administrators to perform system installations and deployment, often on
a large scale" [2]
As part of the installation process, the product can install and enable
a TFTP server to facilitate anonymous access to configuration data. In
certain circumstances, a copy of the /etc/passwd file will be moved into
the TFTP server tree and made available for anonymous access.
-- Analysis --
The HP Ignite-UX can use a TFTP server to facilitate anonymous access to
configuration data. When the make_recovery command is used, a copy of
the /etc/passwd file will be created in the TFTP server tree and made
available for anonymous access.
As of version B.3.2 of the product, the make_recovery command has been
depreciated in preference for the make_tape_recovery command (which
doesn't display the same issues), and as of version C.6.0 the
make_recovery command does not exist in the product at all. However, if
at any point make_recovery has been run on the host, a copy of the
/etc/passwd file may still remain within the TFTP server tree.
-- Proof of Concept -
Use a TFTP client to request the file referenced by the following path:
/var/opt/ignite/recovery/passwd.makrec
-- Recommendations --
Download and apply the HP Ignite-UX version C.6.2.241 patches.
Replace all usage of the make_recovery command with make_tape_recovery.
If in any doubt, disable the TFTP server.
-- CVE --
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004- 0951 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardises names for
security problems.
-- References --
[1] http://www.hp.com
[2] http://software.hp.com/products/IUX/overview.html
-- Revision --
a. Initial release.
b. Released.
-- Distribution --
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.
-- Disclaimer --
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.
-- About Corsaire --
Corsaire are a leading information security consultancy, founded in 1997
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.
A free guide to selecting a security assessment supplier is available at
http://www.penetration-testing.com
Copyright 2005 Corsaire Limited. All rights reserved.

-
漏洞信息

-
漏洞描述

HP UX's Ignite-UX contains a flaw that may lead to an unauthorized password exposure. It is possible to gain access to the /etc/passwd if the make_recovery command has been run by the administrator. The make_recovery utility copies /etc/passwd to the TFTP anonymous directories, which may lead to a loss of confidentiality.

-
时间线

公开日期:
2005-08-16

发现日期:
Unknow

利用日期:2005-08-16

解决日期:Unknow

-
解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, HP has released patches to address this vulnerability. From HP's software update site, search for the patch appropriate for your version of HP UX:
Ignite-UX-11-00_C.6.2.241_HP-UX_B.11.00_32+64.depot
Ignite-UX-11-11_C.6.2.241_HP-UX_B.11.00_32+64.depot
Ignite-IA-11-22_C.6.2.241_HP-UX_B.11.00_32+64.depot
Ignite-UX-11-23_C.6.2.241_HP-UX_B.11.00_32+64.depot

-
受影响的程序版本

-
不受影响的程序版本

-
漏洞讨论

During installation, Ignite-UX can use a TFTP server for remote access. Under some circumstances, a copy of the passwd file will be stored in the TFTP server path.

-
漏洞利用

There is no exploit code required.

-
解决方案

Apply the HP Ignite-UX version C.6.2.241 patches. HP has made patches available to HP-UX administrators for versions B.11.0, B.11.11, B.11.22, and B.11.23 (patch Ignite-UX_All_C.6.2.241.depot contains fixes for all four) at http://www.hp.com/go/softwaredepot. See the advisory in the reference section for complete details: